Bugtraq mailing list archives

Re: LAMP vs Microsoft


From: Joel Maslak <jmaslak () antelope net>
Date: Mon, 10 Jul 2006 19:37:42 -0600

On Jul 10, 2006, at 11:50 AM, Bob Beck wrote:

        Yes, but what are you hoping to prove with those numbers. I think all
you're demonstrating is what things get more attention, likely due to
their popularity, so they make a more interesting target.  I.e., just
because you find hardly any vulnerabilities for web apps
deployed using ANFC (ANFC == AIX, NetCat, Flat Files, and C (please
sir can I have another..)[1]) doesn't mean those that are aren't rife
with them.

Exactly.

I have seen far too many Perl/PHP/ASP/ASP.NET/whatever apps that can't figure out how to do really simple stuff like quote special characters before passing things to a database (or, better yet, using stored procedures and your web language's built-in parameterized SQL exec functions - but that'll start a different religious war).

If you are defending against the next Internet Worm, then these numbers may matter. But if you are defending against data being compromised, the architecture of your system is much more important.

In fact, I've pretty much reduced website auditing to a single question (yes, it really is more complicated than this, but most sites fail on just this one, regardless of platform):

True/False: Someone who becomes an administrator on your public-facing web server can read all the data in your database?

If you answer "true" then you've already failed. Regardless of Linux or Windows usage. Does it matter if you have fewer bugs if it only takes one bug to compromise your entire architecture?


[1] Yes, I have seen an ANFC used for real [2]
[2] Yes, it had a hole.


I've seen very few custom web apps that *don't* have a hole.
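
[Editor's note: the following is an added example illustrating the "quote special characters" vs. "parameterized SQL" point in the message above. It is not code from Joel Maslak, Bob Beck or anyone else in this thread. It uses Python's standard sqlite3 module against a constructed in-memory table of fake user records; the table, column and function names are all assumptions made for the example.]

```python
import sqlite3


def make_db():
    """Build a constructed in-memory table of fake records (sample data, not real)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, ssn TEXT)")
    conn.executemany(
        "INSERT INTO users (name, ssn) VALUES (?, ?)",
        [("alice", "000-00-0001"), ("bob", "000-00-0002"), ("carol", "000-00-0003")],
    )
    return conn


# --- The "can't figure out how to quote" case: raw string concatenation. ---

def find_ssn_unsafe(conn, name):
    # Attacker-controlled 'name' is spliced straight into the statement.
    sql = "SELECT name, ssn FROM users WHERE name = '" + name + "'"
    return conn.execute(sql).fetchall()


def find_by_id_unsafe(conn, user_id):
    # Numeric parameter, so the developer "didn't need quotes" -- same bug.
    sql = "SELECT name, ssn FROM users WHERE id = " + str(user_id)
    return conn.execute(sql).fetchall()


# --- The "quote special characters" fix: escape by hand before splicing. ---

def quote_literal(value):
    # Doubling single quotes is the correct escaping for an SQL string literal.
    # It only helps where the value actually sits inside quotes (see below).
    return "'" + value.replace("'", "''") + "'"


def find_ssn_quoted(conn, name):
    sql = "SELECT name, ssn FROM users WHERE name = " + quote_literal(name)
    return conn.execute(sql).fetchall()


# --- The "better yet" fix: parameterized execution (placeholders, not text). ---

def find_ssn_safe(conn, name):
    # The value never becomes SQL text; the driver binds it as data.
    return conn.execute(
        "SELECT name, ssn FROM users WHERE name = ?", (name,)
    ).fetchall()


def find_by_id_safe(conn, user_id):
    return conn.execute(
        "SELECT name, ssn FROM users WHERE id = ?", (user_id,)
    ).fetchall()


if __name__ == "__main__":
    db = make_db()
    string_payload = "x' OR '1'='1"   # classic tautology injection for a quoted field
    numeric_payload = "1 OR 1=1"      # the same trick where no quotes are involved

    print("unsafe (string):", find_ssn_unsafe(db, string_payload))   # dumps all 3 rows
    print("quoted (string):", find_ssn_quoted(db, string_payload))   # [] - escaping works here
    print("safe   (string):", find_ssn_safe(db, string_payload))     # []

    print("unsafe (numeric):", find_by_id_unsafe(db, numeric_payload))  # dumps all 3 rows
    print("safe   (numeric):", find_by_id_safe(db, numeric_payload))    # [] - bound as data, no match
    print("safe   (numeric):", find_by_id_safe(db, 2))                  # [('bob', '000-00-0002')]
```

The hand-quoting version survives the string payload, which is why it passes a casual review; it does nothing for the numeric path, where no quotes surround the value at all. The parameterized versions take the same input and return nothing for either payload, because the driver never re-parses the value as SQL.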
